Better Security, Together

PUMAKIT is a highly sophisticated loadable kernel module (LKM) rootkit that demonstrates advanced stealth and persistence capabilities, posing a significant threat to Linux environments. This multi-stage malware employs a layered architecture comprising a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit to avoid detection and maintain control. By hooking system calls and kernel functions, PUMAKIT enables privilege escalation, conceals its presence, and establishes covert communication with command-and-control (C&C) servers. Its ability to exploit Linux kernel mechanisms for stealth and control makes it a critical risk to organizational security.

PUMAKIT’s infection chain begins with a dropper disguised as a legitimate process, deploying memory-resident executables that execute payloads without leaving traces on disk. Using advanced fileless execution techniques it loads its rootkit components entirely in memory. A key stage involves executing a custom script that evaluates kernel conditions and decompresses the target kernel image for further exploitation. The LKM rootkit uses function hooks and symbol resolution techniques to manipulate core system behaviors, including hiding files, processes, and directories. Tools like rmdir, repurposed for privilege escalation, and custom scripts for kernel image processing are employed to evade detection while achieving persistence.

The rootkit’s capabilities extend to intercepting system calls for hiding directories and leveraging hooks for advanced kernel manipulation. Additionally, its integration of a userland shared object (SO) rootkit enables further stealth and persistence through user-space interactions.

Zloader, a modular Trojan based on leaked Zeus source code, has evolved significantly since its emergence in 2015. Initially designed for banking fraud, it has shifted toward enabling ransomware attacks by serving as an initial access broker. Its latest version, 2.9.4.0, introduces advanced anti-analysis measures, a custom DNS tunneling protocol for stealthy command-and-control (C&C) communications, and an interactive shell for hands-on keyboard activity, signaling an increased focus on evasion and operational resilience.

The infection chain employed by Zloader has shifted from broad spam campaigns to highly targeted, multi-stage attacks. These attacks often begin with luring victims into initiating Remote Monitoring and Management (RMM) sessions using tools such as AnyDesk, TeamViewer, or Microsoft Quick Assist. This social engineering tactic allows attackers to deploy additional malicious payloads, such as GhostSocks, which facilitates the installation of Zloader. Once operational, Zloader employs techniques like environment checks, modified API resolution algorithms, and encrypted configurations to evade detection. Its C&C communications leverage encrypted HTTPS traffic and a newly developed DNS tunneling protocol, further masking its activity. For instance, attackers use DNS A, and AAAA records to encapsulate encrypted TLS traffic, effectively bypassing conventional network monitoring tools.

Zloader’s continuous evolution underscores its critical role in enabling ransomware operators by serving as an initial access broker. With links to major ransomware campaigns, such as those involving Black Basta, its arsenal of tools—including interactive shell capabilities for executing binaries and exfiltrating data—equips attackers to conduct reconnaissance, deploy ransomware, and maintain persistence.